Blaszok 3.9.3 Theme exploit, theme options exposed

Exposed Options

This type of vulnerability means that an attacker can set, update and/or read the options stored for a theme or a plugin.

A lot of premium theme and plugin developers try to implement their own system for storing the settings and options of their product. There are quite a few ready-made solutions that not only cut back development time, but chances are that they are much more secure as well. One prime example would be the Redux framework.

Blaszok issues

I looked at the Blaszok eCommerce theme because it is listed under the eCommerce tag on ThemeForest.

I usually look at the low-hanging fruits first (wp_ajax, admin_init, unserialize, etc.) and this showed up (/themes/blaszok/panel/options-framework.php):

Both mpcth_export_settings and mpcth_import_settings check neither a capability nor a nonce. Under normal circumstances this would be an authenticated stored XSS or exposed theme options, but because this is an eCommerce theme, chances are high that WooCommerce is installed.

And if a site runs WooCommerce, chances are high that users can register under the customer role, and once logged in as a customer they can call the mpcth_export_settings and mpcth_import_settings endpoints.
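As an added illustration (not code from the Blaszok theme or from this write-up), here is the missing-check pattern the post describes next to a hardened handler. Only the two action names come from the page; the option name, capability, nonce action and request parameter are assumptions:

```php
<?php
// Illustration only, not the theme's code. Assumed names: option 'mpcth_options',
// nonce action 'mpcth_settings', POST parameter 'settings', capability 'edit_theme_options'.

// The pattern described in the post: a wp_ajax_* handler that reads or writes
// theme options without a capability or nonce check. Because wp_ajax_* hooks
// fire for every logged-in user, a WooCommerce "customer" reaches it too.
function mpcth_export_settings_unsafe() {
    wp_send_json( get_option( 'mpcth_options' ) );
}
// (not hooked here; shown only for comparison with the hardened handlers below)

// Hardened: require the capability theme settings need, then a nonce bound to
// this specific action, before touching the option.
function mpcth_export_settings_safe() {
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( 'insufficient capability', 403 );
    }
    check_ajax_referer( 'mpcth_settings', 'nonce' ); // dies on a bad/missing nonce
    wp_send_json_success( get_option( 'mpcth_options', array() ) );
}
add_action( 'wp_ajax_mpcth_export_settings', 'mpcth_export_settings_safe' );

function mpcth_import_settings_safe() {
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( 'insufficient capability', 403 );
    }
    check_ajax_referer( 'mpcth_settings', 'nonce' );
    // Accept JSON rather than a serialized blob: never unserialize() user input.
    $raw  = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : '';
    $data = json_decode( $raw, true );
    if ( ! is_array( $data ) ) {
        wp_send_json_error( 'invalid payload', 400 );
    }
    // Sanitize per key instead of storing the whole blob (closes the stored-XSS path).
    $clean = array();
    foreach ( $data as $key => $value ) {
        $clean[ sanitize_key( $key ) ] = is_string( $value ) ? wp_kses_post( $value ) : $value;
    }
    update_option( 'mpcth_options', $clean );
    wp_send_json_success();
}
add_action( 'wp_ajax_mpcth_import_settings', 'mpcth_import_settings_safe' );

// The admin page hands the matching nonce to its script, e.g.:
// wp_localize_script( 'mpcth-admin', 'mpcth', array( 'nonce' => wp_create_nonce( 'mpcth_settings' ) ) );
```

Note that no wp_ajax_nopriv_ hook is registered, so unauthenticated requests never reach either handler.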